Data breaches galore! Hacked firms risk SEC fines if they don’t report the damage ASAP
Federal agencies issue hundreds, if not thousands, of regulations that businesses and customers could easily do without. There are exceptions, however, like the data breach disclosure rule that went into effect this past fall.
The U.S. Securities and Exchange Commission (SEC) and its chair Lina Khan aren’t getting much love from corporations, Wall Street and the like these days. But the SEC’s new requirement that companies must report a significant data breach impacting customers and the public is well overdue, in our opinion.
Consider the number of very rich companies that experienced major data breaches in 2023 and how some of them handled the messes. One could argue the firms’ responses – from waiting days to inform clients and customers and in some cases going months without giving a full account – are even worse than the mistake of letting crucial data fall into the wrong hands.
For example, Samsung didn’t get around to letting British customers who bought Galaxy phones or other electronic devices in 2019 and 2020 know that their personal information may’ve been stolen until March of last year! To make matters worse, “the tech giant [has] refused to answer further questions about the incident, such as how many customers were affected or how hackers were able to gain access to its internal systems,” according to TechCrunch.
Another example: Ransomware pirates attacked MGM Resorts in Las Vegas a few months back. The attack made guests’ room keys inoperable and made it impossible to use cards to play slot machines, the bread and butter of any casino. MGM waited a month to file a report acknowledging customers’ data was compromised.
One more: Comcast is taking it on the chin following a breach. Hackers gained access to more than 35 million customers’ Social Security numbers. Class-action lawsuits are pending. Comcast has yet to file a formal report to the SEC, which could lead to a fine.
SEC disclosure rule is good news for ‘exposed’ customers
To be fair to Comcast, it tried to fix a software glitch that its cloud vendor Cisco warned about in October. The data breach occurred while Comcast techies were working on a patch that same month, too late to stop the theft in this case.
The cybersecurity experts are right: Any company in any industry, no matter the size, is a target. Companies can lessen the risks by investing in encryption tools and by insisting that their employees create long, impossible-to-break passwords and replace them periodically.
The SEC disclosure rule requires publicly traded companies to report “material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy and governance.” A data breach that requires IT/IS staffers to respond immediately and spend hours or days repairing would qualify as a reportable event.